Join Mark Thomas for an in-depth discussion in this video Security management, part of Cert Prep: ITIL Foundations.
- Okay, only a couple of processes left in Service Design. We finished service, IT service continuity management. Now let's go on to security, IT, information security management. Now, remember ITIL is not a standard, therefore the security process within ITIL, this is not a security standard. You basically have your standards and you have your regulatory rules that you have to follow. Within ITIL we basically have to have a process that supports those, and are in line with our fiduciary requirements, security requirements, and aligned with the customer needs, okay? So, information security management is the process that aligns security with business security from the IT and business security side and makes sure that information security is effectively managed.
So, we have to have a solid process to ensure that we're protecting the critical information. That's one of our most important assets, after people, and that's information, okay? We need to protect that, ensure that we have the ability to use that effectively in the organization. The purpose of information security management is to align IT security with business security and ensure that the confidentiality, integrity, and availability of the organization's assets, information, data and IT services always matches the agreed needs of the business.
So, ensure that we look at the security risks, identify those risks, analyze those risks and manage the risk. You start hearing risk management come up again, another part of our warranty process, security. Are we providing security for these? Make sure that information resources, obviously, are used responsibly, and that we protect those resources. Protect the interests of those relying on the information, and the systems and communications that deliver that, okay, and protect them from harm. So, information security management must be considered part of your overall governance program, okay? Because there's a lot of regulatory, there's a lot of compliance concerns that you have around information security management.
Okay, so let's talk on the next piece here. We've got information security makes sure that we are using the resources in an appropriate manner, and then we're ensuring that we meet the following objectives. You've heard me come up with a couple of these in the past. You've heard me say CIA before, right? CIA, confidentiality, integrity, and availability are the top three things you need to ensure that security management does, okay? Confidentiality, we're protecting the data from unauthorized access, okay? Integrity, making sure that it's accurate, making sure that it's protected from unauthorized change, and the third one of those, availability, it's available when required, okay? If we have information and we have data that is so highly classified that the people who need it can't get to it, we have something wrong with how we are aligning with our organization, okay? Besides, when we classify information, that's a collaborative effort with the business.
IT, we can't necessarily, because it's business data, right? So, we need to make sure we get help classifying this. Of course, we've got what's called appropriateness and trustworthiness. Appropriateness, meaning the services are used in an appropriate manner based on organizational policies and industry practices. And trustworthiness, that the transactions and the data exchanges can be trusted. Those are pretty big things from an objective standpoint that I want to make sure we understand. So, the scope there that we're talking about, all of these things that we're doing, so we have a scope and it's organization-wide.
We have to do these across the organization, not just one little piece. And so, make sure that the business security, the business policies and plans are aligned with the security requirements, that we are aligning with those security requirements. We're looking at this from a future business plan perspective, legislative, regulatory, compliance are obligations and responsibilities we have to consider here, okay? So as we want to take a look at some of the next pieces of information security management, it makes sense that we have to have an information security policy, okay? That policy, that policy should be consistent with and aligned with our organization, okay, with the business objectives and the business goals.
That's why the security policy exists, to support the business. So, we have to have full support from top management. Everybody in the organization has to have access to this security policy, right? Not just a few select people, everybody has to have access to that policy. So, as we're taking a look at this, what this security policy actually includes, basic things that might make sense. First of all, you gotta have the policy, and policies around use and misuse of IT assets, and information around access and password controls.
Remember, we have a process called access management. Access management uses the security policy to determine how, who, when and where we provide access to users. Password, we talked about that. Policies for email, internet, supplier access, how we provide that access and at what point do I no longer need access. Asset disposal, I think that's kind of a big issue for a lot of organizations, what's our policy around this. Now, make sure that everybody has access, but also, it's really referred to in our SLAs, Service Level Agreements, and our OLAs, Operational Level Agreements, because the security policy is going to drive a lot of the practices, and in many cases, some constraints for some processes, because there are rules that we have to apply, okay? So, all this information that we have by information security management, we've got a lot of stuff, right? We've got security controls that we have, we've got our risks, our breaches, processes, reports, all this data that we have, monitoring information, as a part of information security management.
We gotta keep this somewhere, okay? We can't have a decentralized approach to this. So, there's a term that we have that we call an ISMS, or Information Security Management System, which is right here. Stores that information, and it comes as no surprise that we probably will see this ISMS, Information Security Management System, we may store that as information, part of our SKMS as well, okay? And so, there's definitely a link within our SKMS, also CMDB and CMS, we've talked a little bit about those.
Configuration Management Database, and Configuration Management System, to link assets to certain security policies and so on. IT service, excuse me, security management, very important, have your policy, everybody has access to that, ensure that it is aligned with our customers, provide confidentiality, integrity, and availability.
ITIL® is a registered trade mark of AXELOS Limited. This ITIL Foundations course is offered by Interface Technical Training, ATO of EXIN.